Information Security – The first steps towards InfoSec

The topic of Information Security (InfoSec) can be highly confusing and complicated. Public discussion is often limited to rare, complex, or expensive exploits that target leaders of state and celebrities. If they, with their expertise and vast source of funds and resources, cannot defend themselves, how can we?

Luckily, despite the overwhelming issues and negative news, InfoSec is easily approachable by anybody with information to protect. While everyone will state absolute security is not possible, it requires little to no effort to reach a good level of security, and only marginally more to protect ourselves from all kinds of untargeted attacks—including ransomware, phishing and unauthorized access to our computer, data, and accounts.

Security is not a binary option. We are never either secure or insecure. What matters is how expensive it is for people to attack you. Without any of the following advice, it becomes trivial to spread malware, and even low-skilled and underfunded groups can make you a target.

With relatively little effort and at low cost, you can make it highly expensive for anyone to exploit your systems. Already most groups will not bother you unless you’re a high-value target. And it isn’t very difficult to raise your guard to the extent that you only need to worry about the most powerful hacking groups and nation states (who would still have to spend millions of dollars in the hope of attacking you).

1. Update your software

You can protect yourself against almost all system vulnerabilities by updating as soon as updates become available. Ideally, enable updates to install automatically in the background so that you don’t have to remember it.

The sad truth is that all software has holes, mistakes, and errors. And some of these can give malicious software access to your computer. Depending on the vulnerability, a compromise could begin with a USB stick, browsing a website or just simply connecting to the internet.

Researchers, criminals, and government agencies continually search for unknown vulnerabilities in software, either to report them to the vendor (often for a bounty), to sell the vulnerability, or to use them to attack enemies for political or financial gain.

Unpatched vulnerabilities are known as “zero-days,” and before the public is aware of them, they’re only a problem for the most high-value targets. It costs hundreds of thousands of dollars to find or buy zero-day vulnerability (attackers with knowledge of the vulnerability don’t want others to have it or, worse, fix it).

As soon as a vulnerability is known, however, it becomes trivially cheap to use it, and this is when most people are likely to suffer an attack. Older versions of software, without a fix, are suddenly cheap and easy to attack.

Update your software now! If your device no longer receives updates, you shouldn’t use it in a network, and especially not on the internet.

2. Install software only from trusted sources

Removing copyright restrictions from commercial software has become more difficult, and criminal groups dominate the market.

Often, criminals capitalize their efforts by bundling spyware and malware with the pirated (or ‘cracked’) software they release. The creators of the malware will make money by selling your data, or worse, using it for blackmail or ransom.

To stay secure, only download software from official sources and do not circumvent restrictions such as the ones imposed by the Apple App Store or the Google Play Store. Software from these platforms is far less likely to be bundled with malware as the operators of these repositories scan the software adequately for malware and strive to remove backdoored applications.

When downloading software from the internet, make sure you are on the correct website, and that you’re indeed downloading the original version. Be careful of software hosted by third parties.

3. Secure your accounts

A good password is essential to secure computers and online accounts. Ideally, use a password manager which will store long, unique, and random passwords, so you don’t have to remember them.

You should also avoid using patterns in your passwords, as a skilled attacker could guess all your passwords after just one is compromised.

For your most valuable or sensitive accounts, such as email, cloud storage, or social media, an extra line of defense is appropriate. Two-factor authentication will prompt you for an additional password when you log in. This code could be sent to you by email, a text message, or you can create one with an authenticator or hardware device.

Codes generated by an authenticator or hardware device provide the strongest form of protection, but a code sent via text message is better than none.

4. Encrypt your data

To further protect from account breaches, untrustworthy services, and nondiscriminatory data theft, you should encrypt your data.

Chats and voice calls are the easiest to encrypt. Whatsapp and Signal will both encrypt your chats and calls by default. Many other chat apps offer encryption too, although there can be big differences in how the security is applied.

You can also encrypt your emails and files with technology like PGP or Veracrypt.

It’s also important to encrypt your computer’s hard drive. Some operating systems do this by default, but with Android, Linux, and Windows systems it’s worth checking if this option is enabled.

5. Log out of social media and block trackers

Every time you hover your mouse too long over an ad, an image, or a paragraph, an algorithm will store it as a personal preference. This data is then cross-referenced with known information about you.

Cookies can identify you if you return to a website repeatedly. Large organizations, such as Google or Facebook, embed their code on millions of websites through analytics platforms or share buttons.

This code allows them not only to see what you do on their platforms but also on other sites. They can use the information they already have about you, like payment details, names, friends, location, political, and religious affiliation, then enrich it with your general browsing activity. Together with information bought openly on the markets (e.g., your credit card history or loyalty card records), they can build a complete profile of you.

At first, this information is gathered purely for advertising purposes, but it can be used in other ways if the data gets into the wrong hands, for example, to target you with crime, impersonate you, or deny you civil rights.

An efficient way to block this kind of tracking is to install an adblocker like uBlock Origin or the Privacy Badger. These programs block third party sites that place a code on the sites you visit, making it easy to decide who can or cannot set cookies.

Additionally, you might want to log out of your social networks, or only open them in a separate incognito window.

6. Make use of anonymity networks

The next easy step is to anonymize yourself further is to hop onto an anonymity relay network. The strongest and most popular of these networks is the Tor Network, but paid Virtual Private Networks (VPNs) can provide privacy at a higher speed.

An anonymity network, proxy network, or VPN encrypts all data between a home network and a server located somewhere else. As long as you can trust the proxy provider more than you can trust your Internet Service Provider, these anonymity networks are an excellent way to make spying and censorship on your local network even harder.

InfoSec is an Ongoing Process

There are, of course, far more steps if you wish to make your devices, networks, and data more secure to all kinds of intrusions, theft, and compromises. But while InfoSec is a subject some people dive their entire lives into, it’s nothing to be intimidated by.

Fortunately, the first steps are easy and highly efficient. With just the six tools mentioned above, you make it extraordinarily difficult for a typical attacker to compromise you.

Hacking and spying are often a question of funding. By raising the cost barrier of hacking, you make yourself an unattractive target. Only if you consider yourself a high-value target should you worry about the risks not outlined in this article.